Deloitte was breached last year, but investigators didn’t find out until March
Deloitte, one of the world’s largest accounting firms, was breached late last year. The incident caused some confidential emails, business plans, usernames and passwords belonging to U.S. companies and governmental agencies to be compromised.
The breach was reportedly focused on Deloitte’s U.S. business, which is headquartered in New York City. Although hackers are thought to have penetrated a company network around October or November 2016, the intrusion was not detected until March.
Deloitte brought in roughly $38 billion in revenue last fiscal year by selling financial consulting, accounting and cybersecurity services to government organizations and Fortune 500 corporations.
The breach was first reported by The Guardian.
In an email sent to CyberScoop, a Deloitte spokesperson confirmed that the reported breach had in fact occurred, but said that only a small number of clients were ultimately affected. Questions about when the incident originally happened or when it was remediated were not answered.
Deloitte’s response to the issue included, according to the spokesperson, implementing a “comprehensive security protocol and initiating an intensive and thorough review which included mobilizing a team of cybersecurity and confidentiality experts inside and outside of Deloitte.”
The Guardian reported, citing an unnamed source, that the incident stemmed from a hacker breaking into the firm’s global email server by apparently taking control of an administrator-level account, which provided unrestricted access. This account was not protected with two-step verification, according to The Guardian, allowing the attacker to attempt multiple logins without the user ever becoming aware.
The email server in question reportedly stored emails sent to and from Deloitte’s 244,000 employees.
An investigation into the breach has been ongoing for at least six months, The Guardian reported.